b'System Evaluation of the Integrated Personnel Security System (IPSS)\n\n\n               OIG-05-A-08         January 14, 2005\n\n\n            REDACTED FOR PUBLIC RELEASE\n\x0c                        OFFICE OF\n                 THE INSPECTOR GENERAL\n                       U.S. NUCLEAR\n                 REGULATORY COMMISSION\n\n\n                     System Evaluation of the Integrated\n                     Personnel Security System (IPSS)\n\n                       OIG-05-A-08 January 14, 2005\n\n\n\n\n              EVALUATION REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s Web site at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                             January 14, 2005\n\n\n\n\nMEMORANDUM TO:                Luis A. Reyes\n                              Executive Director for Operations\n\n\n\nFROM:                         Stephen D. Dingbaum/RA/\n                              Assistant Inspector General for Audits\n\n\nSUBJECT:                      SYSTEM EVALUATION OF THE INTEGRATED\n                              PERSONNEL SECURITY SYSTEM (IPSS) (OIG-05-A-08)\n\nAttached is the evaluation report titled, System Evaluation of the Integrated Personnel\nSecurity System (IPSS), conducted as part of the Office of the Inspector General\xe2\x80\x99s\nreview of the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) implementation of the Federal\nInformation Security Management Act (FISMA) for FY 2004. Richard S. Carson &\nAssociates, Inc., performed this independent system evaluation on our behalf.\n\nBased on its review and evaluation of IPSS management, operational, and technical\ncontrols, Richard S. Carson & Associates, Inc., determined that IPSS has the following\nweaknesses:\n\n        Security test and evaluation was not comprehensive and was not independent.\n        Security documentation is not always consistent with National Institute of\n        Standards and Technology guidelines.\n        Security protection requirements are inconsistent within security documentation.\n\nThe weaknesses identified are not significant deficiencies or reportable conditions.\nDuring an exit conference on December 13, 2004, NRC officials provided comments\nconcerning the draft audit report and opted not to submit formal written comments to this\nfinal version of the report.\n\nIf you have any questions or wish to discuss this report, please call me at 415-5915 or\nBeth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cDistribution List\n\nB. John Garrick, Chairman, Advisory Committee on Nuclear Waste\nMario V. Bonaca, Chairman, Advisory Committee on Reactor Safeguards\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nDennis K. Rathbun, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Homeland Protection\n  and Preparedness, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research\n  and State Programs, OEDO\nEllis W. Merschoff, Deputy Executive Director for Reactor Programs, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nJacqueline E. Silber, Chief Information Officer\nTimothy F. Hagan, Director, Office of Administration\nFrank J. Congel, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nPaul E. Bird, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\nOPA, Region I\nOPA, Region III\nOPA, Region IV\n\x0c                          Office of the Inspector General\n                             System Evaluation of the\n                   Integrated Personnel Security System (IPSS)\n\n\n\n\n                            Contract Number: GS-00F-0001N\n                          Delivery Order Number: DR-36-03-346\n\n                                                 December 22, 2004\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                           System Evaluation of IPSS\n\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n      On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law\n      107-347), which includes the Federal Information Security Management Act (FISMA) of\n      2002. FISMA outlines the information security management requirements for agencies,\n      which include an independent evaluation of an agency\xe2\x80\x99s information security program\n      and practices and an evaluation of the effectiveness of information security control\n      techniques. FISMA also requires an assessment of compliance with requirements and\n      related information security policies, procedures, standards, and guidelines. As part of\n      the Fiscal Year 2004 FISMA independent evaluation of the Nuclear Regulatory\n      Commission\xe2\x80\x99s (NRC) information technology security program, Richard S. Carson\n      Associates, Inc. (Carson Associates) reviewed security controls for the Integrated\n      Personnel Security System (IPSS).\n\n      The Division of Facilities and Security (DFS), Office of Administration, maintains\n      personnel security information on employees in paper files and in an automated data\n      system referred to as the Personnel Security (PERSEC) Modules. In December 2003,\n      DFS implemented a new automated data system, IPSS, to replace the PERSEC Modules.\n      IPSS is intended to be more efficient and user-friendly with more reporting capabilities\n      than the PERSEC Modules, which are viewed as cumbersome and inadequate.\n\nPURPOSE\n\n      The system evaluation objectives were to review and evaluate the management,\n      operational, and technical controls for IPSS.\n\nRESULTS IN BRIEF\n\n      Carson Associates reviewed IPSS security documentation and found that security test and\n      evaluation was not comprehensive and was not independent, IPSS security\n      documentation is not always consistent with National Institute of Standards and\n      Technology (NIST) guidelines, and the security protection requirements are inconsistent\n      within IPSS security documentation. None of these weaknesses are considered to be\n      significant deficiencies or reportable conditions as defined in Office of Management and\n      Budget (OMB) FISMA reporting guidance.\n\n      Security Test and Evaluation Was Not Comprehensive and Was Not Independent\n\n      NIST Special Publication 800-37, Guide for the Security Certification and Accreditation\n      of Federal Information Systems, states that \xe2\x80\x9cSecurity certification is a comprehensive\n      assessment of the management, operational, and technical security controls in an\n      information system, made in support of security accreditation, to determine the extent to\n      which the controls are implemented correctly, operating as intended, and producing the\n      desired outcome with respect to meeting the security requirements for the system.\xe2\x80\x9d\n\n\n                                               i\n\x0c                                                                     System Evaluation of IPSS\n\n\n\nHowever, the security test and evaluation conducted on IPSS was not comprehensive, the\ntest results were not fully documented, and the testing was not performed by an\nindependent party.\n\nSecurity Documentation Is Not Always Consistent With NIST Guidelines\n\nFISMA directs the Secretary of Commerce, on the basis of standards and guidelines\ndeveloped by NIST, to prescribe standards and guidelines pertaining to Federal\ninformation systems. NIST has developed several guidelines and standards, including\nthose for conducting risk assessments, developing security plans, and developing\ncontingency plans. NRC Management Directive (MD) 12.5, NRC Automated\nInformation Security Program, which was revised in September 2003, states that NRC\nshall comply with NIST guidance to include guidance related to the preparation of\nsecurity documentation (such as system security plans, risk assessments, and contingency\nplans) and other applicable NIST guidance for information technology security processes,\nprocedures, and testing.\n\nThe previous version of MD 12.5 did not require compliance with NIST guidelines,\nhowever, OMB Circular A-130, Management of Federal Information Resources,\nAppendix III, Security of Federal Automated Information Resources, states that each\nagency\xe2\x80\x99s program shall implement policies, standards, and procedures which are\nconsistent with Governmentwide policies, standards, and procedures issued by OMB, the\nDepartment of Commerce, the General Services Administration, and the Office of\nPersonnel Management. OMB periodically reminds agencies that agency security\npractices should be consistent with NIST guidance. The FY 2004 FISMA guidance\nissued by OMB specifically states that agencies must follow NIST standards and\nguidance. Use of NIST guidance is flexible, provided agency implementation is\nconsistent with the principles and processes outlined within the NIST guidance.\n\nCarson Associates reviewed the IPSS Risk Assessment Report, System Security Plan,\nand Contingency Plan and found that while the documentation is up-to-date, it is not\nalways consistent with NIST guidelines.\n\nSecurity Protection Requirements Are Inconsistent Within Security\nDocumentation\n\nFISMA defines the term \xe2\x80\x9cinformation security\xe2\x80\x9d to mean protecting information and\ninformation systems from unauthorized access, use, disclosure, disruption, modification,\nor destruction in order to provide confidentiality, integrity, and availability.\nConfidentiality is preserving authorized restrictions on information access and disclosure,\nincluding means for protecting personal privacy and proprietary information. Integrity is\nguarding against improper information modification or destruction, and includes ensuring\ninformation non-repudiation and authenticity. Availability is ensuring timely and reliable\naccess to and use of information. Confidentiality, integrity, and availability are often\nreferred to as security protection requirements or security objectives for a system. The\nsecurity protection requirements defined in the IPSS System Security Plan and in the FY\n2003 and FY 2004 IPSS self-assessments are inconsistent.\n\n\n                                         ii\n\x0c                                                                        System Evaluation of IPSS\n\n\n\n\nRECOMMENDATIONS\n\n     This report makes eight recommendations to the Executive Director for Operations to\n     strengthen management, operational, and technical controls for IPSS. A consolidated list\n     of recommendations can be found on page 15 of this report.\n\nAGENCY COMMENTS\n\n     On December 13, 2004, the Executive Director for Operations provided comments\n     concerning the draft system evaluation report. None of the comments required\n     modifications to the report.\n\n\n\n\n                                            iii\n\x0c                                  System Evaluation of IPSS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                          System Evaluation of IPSS\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nDFS      Division of Facilities and Security\nFIPS     Federal Information Processing Standards\nFISMA    Federal Information Security Management Act\nFY       Fiscal Year\nIPSS     Integrated Personnel Security System\nMD       Management Directive\nNIST     National Institute of Standards and Technology\nNRC      Nuclear Regulatory Commission\nOCIO     Office of the Chief Information Officer\nOIG      Office of the Inspector General\nOMB      Office of Management and Budget\nPERSEC   Personnel Security\nSP       Special Publication\n\n\n\n\n                                         v\n\x0c                                  System Evaluation of IPSS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              vi\n\x0c                                                                                                    System Evaluation of IPSS\n\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n\n2 Purpose .................................................................................................................... 2\n\n3 Findings.................................................................................................................... 3\n    3.1     Security Test and Evaluation Was Not Comprehensive and Was Not Independent........3\n    3.2     Security Documentation Is Not Always Consistent With NIST Guidelines....................4\n    3.3     Security Protection Requirements Are Inconsistent Within Security Documentation ..12\n4 Consolidated List of Recommendations ............................................................. 15\n\n5 OIG Response to Agency Comments .................................................................. 17\n\n\nAppendix\n\n    Appendix A: Scope and Methodology ..................................................................................18\n\n\n\n\n                                                              vii\n\x0c                                  System Evaluation of IPSS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              viii\n\x0c                                                                                            System Evaluation of IPSS\n\n\n\n1        Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-\n347), which includes the Federal Information Security Management Act (FISMA) of 2002.1\nFISMA outlines the information security management requirements for agencies, which include\nan independent evaluation of an agency\xe2\x80\x99s information security program and practices and an\nevaluation of the effectiveness of information security control techniques. FISMA also requires\nan assessment of compliance with requirements and related information security policies,\nprocedures, standards, and guidelines. As part of the Fiscal Year 2004 FISMA independent\nevaluation of NRC\xe2\x80\x99s information technology security program, Carson Associates reviewed\nsecurity controls for IPSS.\n\nIntegrated Personnel Security System\n\nThe Division of Facilities and Security (DFS), Office of Administration, maintains personnel\nsecurity information on employees in paper files and in an automated data system referred to as\nthe PERSEC Modules. In December 2003, DFS implemented a new automated data system,\nIPSS, to replace the PERSEC Modules. IPSS is intended to be more efficient and user-friendly\nwith more reporting capabilities than the PERSEC Modules, which are viewed as cumbersome\nand inadequate. IPSS provides DFS with functionality such as:\n\n    \xe2\x80\xa2    Tracking all personnel security processing activities related to the approval or denial of\n         an employment clearance and access authorization.\n    \xe2\x80\xa2    Tracking unescorted contractor access to NRC facilities.\n    \xe2\x80\xa2    Tracking due process procedures (i.e., denial, revocation, suspension and termination of\n         employment clearance or access authorization).\n    \xe2\x80\xa2    Tracking drug testing activities.\n    \xe2\x80\xa2    Tracking classified visits to NRC facilities.\n    \xe2\x80\xa2    Random selection and tracking of drug program participants.\n    \xe2\x80\xa2    Multiple drug testing reports.\n    \xe2\x80\xa2    Data consistency, confidentiality, integrity, and authentication.\n\nThe Security Branch within the Office of Administration, Division of Facilities and Security is\nthe IPSS system owner. The system is categorized as a Major Application.2 The IPSS security\n\n\n\n\n1\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\nGovernment Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act,\nwhich expired in November 2002.\n2\n  An application that requires special attention to security due to the risk and magnitude of harm that would result\nfrom the loss, misuse, or unauthorized access to or modification of the information in the application.\n\n\n                                                          1\n\x0c                                                                                          System Evaluation of IPSS\n\n\n\ndocumentation was prepared while the system was still in the implementation phase3 of its life\ncycle. IPSS is now in the operational phase.4\n\nSystem Evaluation Process\n\nIPSS was evaluated by reviewing system documentation maintained by the Office of the Chief\nInformation Officer (OCIO). As recommended by OMB, Carson Associates reviewed the\nfollowing documents for adherence to standards and consistency with guidelines issued by NIST.\n\n    \xe2\x80\xa2   IPSS Risk Assessment Report, August 14, 2003.\n    \xe2\x80\xa2   IPSS System Security Plan, June 30, 2003, revised August 14, 2003.\n    \xe2\x80\xa2   IPSS Contingency Plan, July 25, 2003.\n    \xe2\x80\xa2   IPSS Security Test Plan, July 25, 2003.\n    \xe2\x80\xa2   Certification Memorandum, October 1, 2003.\n    \xe2\x80\xa2   Accreditation Memorandum, October 6, 2003.\n    \xe2\x80\xa2   Privacy Impact Assessment.\n    \xe2\x80\xa2   FY 2003 and draft FY 2004 IPSS Self-Assessment.\n\nThe documents were reviewed to determine whether they are consistent with NIST guidance and\nwhether they describe the management,5 operational,6 and technical7 controls in place for IPSS.\n\n2       Purpose\n\nThe system evaluation objectives were to review and evaluate the management, operational, and\ntechnical controls for IPSS.\n\n\n\n\n3\n  A system\xe2\x80\x99s life cycle typically comprises five phases: initiation, development/acquisition, implementation,\noperation/maintenance, and disposal. In the implementation phase, the system is installed, acceptance testing is\nperformed, and users are trained.\n4\n  In the operation/maintenance phase, systems are in place and operating, enhancements and/or modifications to the\nsystem are developed and tested, and hardware and/or software is added or replaced.\n5\n  The security controls (i.e., safeguards or countermeasures) for an information system that focus on the\nmanagement of risk and the management of information system security.\n6\n  The security controls (i.e., safeguards or countermeasures) for an information system that primarily are\nimplemented and executed by people (as opposed to systems).\n7\n  The security controls (i.e., safeguards or countermeasures) for an information system that are primarily\nimplemented and executed by the information system through mechanisms contained in the hardware, software, or\nfirmware components of the system.\n\n\n                                                         2\n\x0c                                                                              System Evaluation of IPSS\n\n\n\n3         Findings\n\nCarson Associates reviewed IPSS security documentation and found that:\n\n      \xe2\x80\xa2   The security test and evaluation conducted on the system was not comprehensive and was\n          not independent.\n      \xe2\x80\xa2   IPSS security documentation is not always consistent with NIST guidelines.\n      \xe2\x80\xa2   Security protection requirements are inconsistent within IPSS security documentation.\n\nNone of these weaknesses are considered to be significant deficiencies or reportable conditions\nas defined in OMB FISMA reporting guidance.\n\n3.1       Security Test and Evaluation Was Not Comprehensive and Was Not\n          Independent\n\nNIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of\nFederal Information Systems, states that \xe2\x80\x9cSecurity certification is a comprehensive assessment of\nthe management, operational, and technical security controls in an information system, made in\nsupport of security accreditation, to determine the extent to which the controls are implemented\ncorrectly, operating as intended, and producing the desired outcome with respect to meeting the\nsecurity requirements for the system.\xe2\x80\x9d However, the security test and evaluation conducted on\nIPSS was not comprehensive, the test results were not fully documented, and the testing was not\nperformed by an independent party.\n\nThe IPSS Security Test Plan, dated July 25, 2003, describes the software development life cycle\ntests most commonly used in the industry. The document describes the procedures for problem\nresolution, including problem identification, problem recording, problem tracking, problem\nresolution, and regression testing. The document includes a requirements map of requirement\nnumbers from the IPSS Design Document to the requirement area and a requirement description\nand relevant test scenario number. Each Test Scenario includes a Summary of Test Case\nOverview, objectives, test roles and test approach; step numbers; actions for the tester to execute;\nexpected results; description of the user\xe2\x80\x99s actions required to test the system; requirement being\ntested (where applicable); pass/fail indication, including the method used to complete the test (I-\ninspection, A-analysis, D-demonstration, T-test), and tester comments. Each test scenario also\nincludes a place to record the tester name, date tested, and any witnesses to the test.\n\nOFFICIAL USE ONLY PARAGRAPH REDACTED FOR PUBLIC RELEASE\n\n\n\n\nOFFICIAL USE ONLY PARAGRAPH REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                                  3\n\x0c                                                                               System Evaluation of IPSS\n\n\n\n(Paragraph continued from previous page) OFFICIAL USE ONLY PARAGRAPH\nREDACTED FOR PUBLIC RELEASE\n\n\n\n\nThe IPSS Security Test Plan described the process the tester should follow when failures or\nproblems are found; after the problem is resolved, the correction is tested again. If the failure or\nproblem is found during integration or system testing, then regression testing is also supposed to\nbe performed. However, there are several tests that appear to have been recorded first as a fail,\nthen changed to a pass. None of the pages where failures appear to be noted have an indication\nof what caused the test to fail, what corrections (if any) were made to the system to correct the\nerror, and when the test was repeated after the correction was made. The final IPSS Security\nTest Plan (and Report) delivered to NRC was actually a copy of the draft IPSS Security Test\nPlan, with the handwritten notes from the testing, and with the word \xe2\x80\x9cDraft\xe2\x80\x9d crossed out and\nreplaced with the word \xe2\x80\x9cFINAL\xe2\x80\x9d on the cover.\n\nThe contractor that developed the system performed the security test and evaluation. The IPSS\nSecurity Test Plan and Report stated that the assigned test personnel are not part of the product\ndevelopment staff, and therefore will be able to approach the testing from a non-biased\nperspective. However, none of the pages used to record the testing results contain the tester\nname, date tested, or witnesses to the test. Therefore, Carson Associates could not validate the\nindependence of the personnel performing the testing. To preserve the impartial and unbiased\nnature of the security certification, the certification agent should be in a position that is\nindependent from the persons directly responsible for the development of the information system\nand the day-to-day operation of the system. The certification agent should also be independent\nof those individuals responsible for correcting security deficiencies identified during the security\ncertification. The independence of the certification agent is an important factor in assessing the\ncredibility of the security assessment results and ensuring the authorizing official receives the\nmost objective information possible in order to make an informed, risk-based accreditation\ndecision. When the potential agency-level impact is moderate or high, certification agent\nindependence is needed and justified.\n\nRECOMMENDATION\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      1. Re-certify and re-accredit IPSS based on an independent, comprehensive, and fully\n         documented assessment of all management, operational, and technical controls.\n\n3.2      Security Documentation Is Not Always Consistent With NIST Guidelines\n\nFISMA directs the Secretary of Commerce, on the basis of standards and guidelines developed\nby NIST, to prescribe standards and guidelines pertaining to Federal information systems. NIST\nhas developed several guidelines and standards, including those for conducting risk assessments,\ndeveloping security plans, and developing contingency plans. NRC Management Directive\n\n\n\n                                                 4\n\x0c                                                                                             System Evaluation of IPSS\n\n\n\n(MD) 12.5, NRC Automated Information Security Program, which was revised in September\n2003, states that NRC shall comply with NIST guidance to include guidance related to the\npreparation of security documentation (such as system security plans, risk assessments, and\ncontingency plans), and other applicable NIST guidance for information technology security\nprocesses, procedures, and testing.\n\nThe previous version of MD 12.5 did not require compliance with NIST guidelines, however,\nOMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of\nFederal Automated Information Resources, states that each agency\xe2\x80\x99s program shall implement\npolicies, standards, and procedures which are consistent with Governmentwide policies,\nstandards, and procedures issued by OMB, the Department of Commerce,8 the General Services\nAdministration and the Office of Personnel Management. OMB periodically reminds agencies\nthat agency security practices should be consistent with NIST guidance. The FY 2004 FISMA\nguidance issued by OMB9 specifically states that agencies must follow NIST standards and\nguidance. Use of NIST guidance is flexible, provided agency implementation is consistent with\nthe principles and processes outlined within the NIST guidance.\n\nCarson Associates reviewed the IPSS Risk Assessment Report, System Security Plan, and\nContingency Plan and found that while the documentation is up-to-date, it is not always\nconsistent with NIST guidelines.\n\nIPSS Risk Assessment Report Is Not Consistent With NIST Guidelines\n\nThe IPSS Risk Assessment Report, dated August 14, 2003, follows the guidance in NIST SP\n800-30, Risk Management Guide for Information Technology Systems. However, the Risk\nAssessment Report is not consistent with the referenced NIST document. Specifically, the Risk\nAssessment Report (1) contains several errors in the calculated risk levels, (2) does not include\nrecommendations for low level risks, and (3) OFFICIAL USE ONLY SENTENCE\nREDACTED FOR PUBLIC RELEASE and (4) only identified risks that are potential in the\nIPSS environment.\n\nThe IPSS Risk Assessment Report uses a series of tables to present the risk assessment results.\nThe following is a brief description of each of the tables.\n\n    \xe2\x80\xa2    Table E.5-1, Vulnerability/Threat Pairs, presents vulnerability/threat pairs and includes\n         columns for vulnerability, threat-source, and threat action.\n    \xe2\x80\xa2    Table E.5-4, Likelihood Rating, presents the likelihood10 for each vulnerability/threat\n         pair.\n    \xe2\x80\xa2    Table E.5-6, Magnitude of Impact, presents the magnitude of impact11 for each\n         vulnerability/threat pair.\n\n8\n  NIST is part of the Technology Administration within the Department of Commerce.\n9\n  OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management\nAct, dated August 23, 2004.\n10\n   Likelihood is the probability that a potential vulnerability may be exploited within the make-up of the associated\nthreat environment.\n\n\n                                                          5\n\x0c                                                                                            System Evaluation of IPSS\n\n\n\n\n     \xe2\x80\xa2   Table E.5-9, Risk Level, presents the risk level for each vulnerability/threat pair. Risk\n         level is based on a combination of the likelihood rating and magnitude of impact.\n     \xe2\x80\xa2   Table E.5-10, Control Recommendations, presents recommendations to address the\n         vulnerabilities.\n     \xe2\x80\xa2   Table E.6-1, List of Recommended Security Control, summarizes the vulnerabilities\n         identified previously, and lists just the vulnerability with the recommended security\n         control.\n\nThe presentation of the risk assessment results in a series of tables rather than in one or two\nconsolidated tables makes is difficult for the reader to understand how the results in the separate\ntables relate to one another. For example, Table E.5-9 presents the risk level for each identified\nvulnerability. As stated previously, risk is based on a combination of the likelihood rating and\nmagnitude of impact. However, Table E.5-9 does not include the likelihood and impact levels\nused to calculate the risk, so the reader must go back to previous tables to verify the risk level\nwas calculated correctly.\n\nThe presentation of the risk assessment results in a series of tables also contributed to errors in\nthe following tables of the IPSS Risk Assessment Report.\n\n     \xe2\x80\xa2   One entry in Table E.5-9 has an incorrect risk level. The likelihood for this\n         vulnerability/threat pair was medium, and the impact low; therefore the risk level should\n         be low. However, the table lists the risk level as medium.\n     \xe2\x80\xa2   There are two vulnerability/threat pairs in Table E.5-10 with incorrect risk levels. Both\n         have a risk level of medium, when they should have a risk level of low.\n     \xe2\x80\xa2   Table E.6-1 is missing a vulnerability that was identified as medium risk.\n\nThe IPSS Risk Assessment Report only recommended security controls that could mitigate or\neliminate the identified high and medium level risks, but gave no rationale for excluding\nrecommendations for addressing the low level risks. The risk assessment should provide\nrecommendations for all risks, or a rationale for providing only recommended controls for high\nand medium level risks.\n\nNIST SP 800-30 recommends using vulnerability sources, system security testing, and a security\nrequirements checklist for identifying system vulnerabilities. The methodology needed to\nidentify vulnerabilities varies, depending on the system\xe2\x80\x99s phase in the life cycle. The system was\nin the implementation phase when the risk assessment was conducted. NIST SP 800-30 states\nthat identification of vulnerabilities for systems in this phase should include more specific\ninformation, such as the planned security features described in the security design documentation\nand the results of system certification test and evaluation. The IPSS risk assessment used only\nquestionnaires and interviews with personnel responsible for the system to identify technical and\nnon-technical vulnerabilities, resulting in identification of generic technical and non-technical\n\n\n11\n  Impact is the adverse impact of a security event in terms of loss or degradation of any, or a combination of any, of\nthe following three security goals: integrity, availability, and confidentiality.\n\n\n                                                          6\n\x0c                                                                               System Evaluation of IPSS\n\n\n\nrisk controls. The risk assessment did not include system security testing to identify actual\nvulnerabilities to IPSS.\n\nThe IPSS Risk Assessment Report stated that the vulnerability/threat pairs are those that are\npotential to the IPSS environment, and that more implementation specific recommendations\nwould be offered as part of the security plan. OFFICIAL USE ONLY SENTENCE\nREDACTED FOR PUBLIC RELEASE.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   2. Update the IPSS Risk Assessment Report to include:\n\n       \xe2\x80\xa2   Tables with accurate risk levels and all identified vulnerability/threat pairs.\n       \xe2\x80\xa2   Recommendations for all identified risks, or provide a rationale for providing only\n           recommended controls for high and medium level risks.\n       \xe2\x80\xa2   A complete risk assessment of actual threats and vulnerabilities to IPSS.\n\nIPSS System Security Plan Is Not Consistent With Guidance in NIST SP 800-18\n\nOMB A-130 states that security plans shall be consistent with guidance issued by NIST. NIST\nSP 800-18, Guide for Developing Security Plans for Information Technology Systems, provides\nan outline for a security plan and provides guidance on the content of the various sections. The\nFinal System Security Plan for IPSS, dated June 30, 2003, and revised August 14, 2003, deviates\nfrom the outline in NIST SP 800-18 in some places.\n\nNIST SP 800-18 recommends including the physical location and address of the office or\norganization responsible for a system. Section 2.2, Responsible Organization, of the IPSS\nSystem Security Plan contains no contact information \xe2\x80\x93 just the name of the office responsible\nfor IPSS. In addition, the IPSS System Security Plan does not list the full name of the\norganization owning the system, just Security Branch. Section 5.1.1 of the IPSS System Security\nPlan states that the system owner is the NRC, Personnel Security Section. This contradicts the\nstatement regarding the system owner in Section 2.2.\n\nNIST SP 800-18 also recommends including the name, title, organization, and telephone number\nof one or more persons designated to be the point(s) of contact for the system. Section 2.2 of the\nIPSS System Security Plan describes the responsibilities of the System Manager (noted as the\nProgram Manager\xe2\x80\x99s role in the IPSS System Security Plan), but does not identify who this person\nis. The contact information for that role is not found until Section 2.8, Information Contacts.\nExamples in NIST SP 800-18 include the full address for each information contact, however the\nIPSS System Security Plan only includes name, phone number, and e-mail address.\n\n\n\n\n                                                 7\n\x0c                                                                             System Evaluation of IPSS\n\n\n\nNIST SP 800-18 recommends that the assignment of security responsibility be located in the first\nsection of the security plan. However, this information is not found in the IPSS System Security\nPlan until Section 5.1.1. NIST SP 800-18 also recommends including the name, title, and\ntelephone number for the security manager (and the example include the full address as well),\nhowever Section 5.1.1 of the IPSS System Security Plan only describes who has overall\nresponsibility for the security of the data. The contact information is located in Section 2.8. The\nsection on assignment of security responsibility also states that overall security management\ncontrols of the IPSS reside with the NRC OCIO, however the IPSS System Security Plan does\nnot include any contact information for the personnel within OCIO who have this responsibility.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   3. Update the IPSS System Security Plan to include:\n\n       \xe2\x80\xa2   Complete contact information for the responsible organization.\n       \xe2\x80\xa2   Consistent identification of the system owner.\n       \xe2\x80\xa2   Complete contact information for personnel supporting the system, including the\n           Program Manager, and other NRC organizations providing support.\n       \xe2\x80\xa2   Assignment of security responsibility in a section consistent with NIST guidance.\n       \xe2\x80\xa2   Complete contact information for personnel with security responsibilities, including\n           other NRC organizations with security responsibilities for the system.\n\nIPSS System Security Plan Does Not Describe All Security Controls Identified As In-Place\n\nNIST SP 800-18 states that the purpose of a security plan is to provide an overview of the\nsecurity requirements of the system and describe controls in place or planned for meeting those\nrequirements. NIST SP 800-18 also states that the security plan should fully identify and\ndescribe the controls currently in place, or planned for the system. However, Carson Associates\nfound several areas in the Final System Security Plan for IPSS, dated June 30, 2003, and revised\nAugust 14, 2003, where controls were not described.\n\nIn order to identify what controls are currently in place for IPSS, Carson Associates reviewed\nand analyzed the IPSS self-assessment and the results of security test and evaluation (ST&E)\nperformed during the certification and accreditation of IPSS.\n\nFISMA requires agencies to test the management, operational, and technical controls of every\ninformation system identified in their inventory no less than annually. OMB has instructed\nagencies to use NIST SP 800-26, Self-Assessment Guide for Information Technology Systems, to\nconduct the annual reviews. NIST SP 800-26 is based on the Chief Information Officer\nCouncil\xe2\x80\x99s \xe2\x80\x9cFederal Information Technology Security Assessment Framework\xe2\x80\x9d (the Framework).\nThe Framework comprises five levels to guide agency assessments of their security programs\nand assist in prioritizing efforts for improvement. Level 1 reflects that an asset has a\n\n\n\n                                                 8\n\x0c                                                                           System Evaluation of IPSS\n\n\n\ndocumented security policy. At Level 2, the asset also has documented procedures and controls\nto implement the policy. For Level 3, procedures and controls have been implemented to protect\nthe asset. Level 4 indicates that procedures and controls are tested and reviewed. Finally, at\nLevel 5, the asset has procedures and controls fully integrated into a comprehensive program.\n\nCarson Associates reviewed the FY 2003 IPSS self-assessment in order to identify controls in\nplace for IPSS. Any controls marked at least at a Level 3 in the IPSS self-assessment are\nconsidered to be in place based on the above definitions. The FY 2003 self-assessment was\nreviewed as the agency had only provided a draft of the FY 2004 self-assessment when the\nfieldwork was conducted.\n\nAs a result of the review of the IPSS System Security Plan and self-assessment, Carson\nAssociates identified several cases where the information in the IPSS System Security Plan and\nself-assessment is inconsistent. The following are some examples:\n\n   \xe2\x80\xa2   NIST SP 800-18 recommends a section on planning for security in the life cycle in the\n       discussion of management controls. The IPSS System Security Plan only describes what\n       phase the system is in, but does not discuss how security was handled during the\n       applicable life cycle phase. The FY 2003 self-assessment had controls for both the\n       initialization and deployment/acquisition phase all marked at Level 5, but none of the\n       controls were described in the IPSS System Security Plan.\n   \xe2\x80\xa2   NIST SP 800-18 recommends a section on incident response capability in the discussion\n       of operational controls. The IPSS System Security Plan does not include a section\n       specifically discussing incident response. The existence of an incident response\n       capability is alluded to in other sections of the IPSS System Security Plan. Based on\n       Carson Associates\xe2\x80\x99 knowledge of the NRC information security program, incident\n       response is a function of the OCIO. The IPSS System Security Plan should include a\n       discussion of this security control, even if it is brief and refers the reader to other\n       documents or personnel for more details.\n   \xe2\x80\xa2   OFFICIAL USE ONLY PARAGRAPH REDACTED FOR PUBLIC RELEASE\n\n\n\n\n   \xe2\x80\xa2   OFFICIAL USE ONLY PARAGRAPH REDACTED FOR PUBLIC RELEASE\n\n\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   4. Update the IPSS System Security Plan to include a section on planning for security in the\n      life cycle and a section on incident response capability.\n\n\n\n                                               9\n\x0c                                                                              System Evaluation of IPSS\n\n\n\n   5. Update the IPSS System Security Plan to describe all controls currently in place. In-\n      place controls are those marked at least at Level 3 in the self-assessment and that were\n      documented as passed in the last Security Test and Evaluation Report, or in any test and\n      evaluation on controls added since publication of that report.\n\n   6. Update the IPSS self-assessment to reflect controls in place. In-place controls are those\n      that were documented as passed in the last Security Test and Evaluation Report, or in any\n      test and evaluation on controls added since publication of that report.\n\nIPSS Contingency Plan Is Not Consistent With NIST Guidelines\n\nCarson Associates reviewed the IPSS Contingency Plan, dated July 25, 2003. Guidance on\ndeveloping contingency plans can be found in NIST SP 800-34, Contingency Planning Guide for\nInformation Technology Systems, which was published in June 2002. As recommended by\nOMB, Carson Associates reviewed the IPSS Contingency Plan for consistency with NIST\nguidelines and found that in some instances, the IPSS Contingency Plan is not consistent with\nNIST guidelines.\n\nNIST SP 800-34 describes one section of a contingency plan as a Concept of Operations section.\nThis section should provide additional details about the system, the contingency planning\nframework, and response, recovery, and resumption activities. NIST SP 800-34 recommends\nincluding a general description of the system covered in the contingency plan. The description\nshould include the system architecture, location(s), and any other important technical\nconsiderations. A system architecture diagram, including security devices (e.g., firewalls,\ninternal and external connections), is useful. The content for the system description can usually\nbe gleaned from the System Security Plan. The IPSS Contingency Plan does not include any\nkind of system description for IPSS, only minimum hardware configurations and a list of system\npriorities.\n\nNIST SP 800-34 states that personnel to be notified in the event of a disaster should be clearly\nidentified in the contact list appended to the plan. The list should identify personnel by their\nteam position, name, and contact information (e.g., home number, work number, pager number,\ne-mail addresses, and home addresses). However, the personnel contact information in the IPSS\nContingency Plan is not complete and not up-to-date. In addition, the personnel contact\ninformation is included within the document and not in an appendix as recommended by NIST\nSP 800-34. Section 2.2 of the IPSS Contingency Plan mentions assigned backups for the two\nkey positions identified for IPSS, but the document does not provide any information on these\nbackups, not even a name. In addition, the person identified as the IPSS System Manager is no\nlonger employed at NRC. Not having up-to-date contact information to reach the designated\npersonnel may cause delays in the disaster recovery process.\n\nNIST SP 800-34 describes roles and responsibilities, including a discussion of appropriate teams\nto implement the system recovery strategy. Each team should be trained and ready to deploy in\nthe event of a disruptive situation requiring plan activation. Recovery personnel should be\nassigned to one of several specific teams that will respond to the event, recover capabilities, and\nreturn the system to normal operations. The specific types of teams required are based on the\nsystem affected. The size of each team, specific team titles, and hierarchy designs depend on the\n\n\n                                                10\n\x0c                                                                             System Evaluation of IPSS\n\n\n\norganization. The contingency plan should include a section describing responsibilities,\nincluding the overall structure of contingency teams and the hierarchy and coordination\nmechanisms and requirements among the teams. The section also provides an overview of team\nmember roles and responsibilities in a contingency situation. The IPSS Contingency Plan\nincludes a list of contacts in Section 2.1, but the document does not describe the structure and\nmembership of the contingency teams.\n\nNIST SP 800-34 describes the fourth step of the contingency process as \xe2\x80\x9cdevelop recovery\nstrategies.\xe2\x80\x9d Thorough recovery strategies ensure that the system can be recovered quickly and\neffectively following a disruption. The fifth step is to develop the contingency plan. The\ncontingency plan should contain detailed guidance and procedures for restoring a damaged\nsystem. Procedures should be written in a stepwise, sequential format so system components\nmay be restored in a logical manner. The procedures should also include instructions to\ncoordinate with other teams when certain situations occur, such as when an action is not\ncompleted within the expected time frame, when a key step has been completed, when item(s)\nmust be procured, or other system-specific concerns.\n\nTo facilitate recovery phase operations, the contingency plan should provide detailed procedures\nto restore the system or system components. Recovery procedures should be written in a\nstraightforward, step-by-step style. To prevent difficulty or confusion in an emergency, no\nprocedural steps should be assumed or omitted. A checklist format is useful for documenting the\nsequential recovery procedures and for troubleshooting problems if the system cannot be\nrecovered properly.\n\nDespite these requirements, the IPSS Contingency Plan includes only three broad recovery\nstrategies and does not include specific technical details on how to implement these strategies or\nwhat steps are needed for testing system functionality after restoration from backup.\n\nNIST SP 800-34 defines the reconstitution phase as when recovery activities are terminated and\nnormal operations are transferred back to the organization\xe2\x80\x99s facility. The reconstitution phase\nshould specify teams responsible for restoring or replacing both the site and the system. The\nIPSS Contingency Plan does not contain procedures for restoring system operations that include\nprocedures for cleaning the alternate site of any equipment or other materials belonging to the\norganization, with a focus on handling sensitive information. These procedures are necessary to\nensure that no sensitive materials remain at the alternate site.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   7. Update the IPSS Contingency Plan to include:\n\n       \xe2\x80\xa2   A description of the system covered in the contingency plan. The description should\n           include the system architecture, location(s), and any other important technical\n           considerations. A system architecture diagram, including security devices (e.g.,\n           firewalls, internal and external connections), is useful.\n\n\n\n                                                11\n\x0c                                                                                            System Evaluation of IPSS\n\n\n\n\n          \xe2\x80\xa2   Complete and up-to-date contact information for all personnel, including backup\n              personnel responsible for implementing the IPSS Contingency Plan.\n          \xe2\x80\xa2   A description of the overall structure of contingency teams, including the hierarchy\n              and coordination mechanisms and requirements among the teams. The description\n              should include an overview of team member roles and responsibilities in a\n              contingency situation. Teams and team members should be designated for specific\n              response and recovery roles during contingency plan activation.\n          \xe2\x80\xa2   More detailed steps for recovery actions and assign procedures to the appropriate\n              recovery team(s).\n          \xe2\x80\xa2   Procedures for restoring system operations, with a focus on how to clean the alternate\n              site of any equipment or other materials belonging to the organization.\n\n3.3       Security Protection Requirements Are Inconsistent Within Security\n          Documentation\n\nFISMA defines the term \xe2\x80\x9cinformation security\xe2\x80\x9d to mean protecting information and information\nsystems from unauthorized access, use, disclosure, disruption, modification, or destruction in\norder to provide confidentiality, integrity, and availability. Confidentiality is preserving\nauthorized restrictions on information access and disclosure, including means for protecting\npersonal privacy and proprietary information. Integrity is guarding against improper information\nmodification or destruction, and includes ensuring information non-repudiation and authenticity.\nAvailability is ensuring timely and reliable access to and use of information. Confidentiality,\nintegrity, and availability are often referred to as security protection requirements or security\nobjectives for a system.\n\nFIPS Publication 199, Standards for Security Categorization of Federal Information and\nInformation Systems, requires all Federal agencies to categorize their systems by assigning\npotential impact levels to the three security objectives. The potential impact is low if the loss of\nconfidentiality, integrity, or availability could be expected to have a limited adverse effect on\norganizational operations, organizational assets, or individuals.12 The potential impact is\nmoderate (medium) if the loss of confidentiality, integrity, or availability could be expected to\nhave a serious adverse effect on organizational operations, organizational assets, or individuals.\nThe potential impact is high if the loss of confidentiality, integrity, or availability could be\nexpected to have a severe or catastrophic adverse effect on organizational operations,\norganizational assets, or individuals.\n\nThe IPSS System Security Plan defines protection requirements for IPSS as follows:\n\n      \xe2\x80\xa2   Confidentiality \xe2\x80\x93 High\n      \xe2\x80\xa2   Integrity \xe2\x80\x93 High\n      \xe2\x80\xa2   Availability \xe2\x80\x93 Medium\n\n\n12\n  Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are\nentitled under law.\n\n\n                                                          12\n\x0c                                                                              System Evaluation of IPSS\n\n\n\nHowever, the FY 2003 IPSS self-assessment and FY 2004 draft IPSS self-assessment define\nprotection requirements for IPSS as follows:\n\n   \xe2\x80\xa2   Confidentiality \xe2\x80\x93 High\n   \xe2\x80\xa2   Integrity \xe2\x80\x93 High\n   \xe2\x80\xa2   Availability \xe2\x80\x93 High\n\nThe protection requirements should be consistent across the security documentation for a\nsystem. A change in protection requirements could indicate a need to re-evaluate the risks to\nthe systems, especially if the change is from a lower rating to a higher one. If the protection\nrequirements have changed since the IPSS System Security Plan was finalized, then an\nexplanation for the change should be noted on the IPSS self-assessment.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   8. Update the IPSS System Security Plan and/or IPSS self-assessment to consistently define\n      the protection requirements (confidentiality, integrity, availability).\n\n\n\n\n                                                13\n\x0c                                  System Evaluation of IPSS\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              14\n\x0c                                                                               System Evaluation of IPSS\n\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Re-certify and re-accredit IPSS based on an independent, comprehensive, and fully\n       documented assessment of all management, operational, and technical controls.\n\n    2. Update the IPSS Risk Assessment Report to include:\n\n       \xe2\x80\xa2   Tables with accurate risk levels and all identified vulnerability/threat pairs.\n       \xe2\x80\xa2   Recommendations for all identified risks, or provide a rationale for providing only\n           recommended controls for high and medium level risks.\n       \xe2\x80\xa2   A complete risk assessment of actual threats and vulnerabilities to IPSS.\n\n    3. Update the IPSS System Security Plan to include:\n\n       \xe2\x80\xa2   Complete contact information for the responsible organization.\n       \xe2\x80\xa2   Consistent identification of the system owner.\n       \xe2\x80\xa2   Complete contact information for personnel supporting the system, including the\n           Program Manager, and other NRC organizations providing support.\n       \xe2\x80\xa2   Assignment of security responsibility in a section consistent with NIST guidance.\n       \xe2\x80\xa2   Complete contact information for personnel with security responsibilities, including\n           other NRC organizations with security responsibilities for the system.\n\n    4. Update the IPSS System Security Plan to include a section on planning for security in the\n       life cycle and a section on incident response capability.\n\n    5. Update the IPSS System Security Plan to describe all controls currently in place. In-\n       place controls are those marked at least at Level 3 in the self-assessment and that were\n       documented as passed in the last Security Test and Evaluation Report, or in any test and\n       evaluation on controls added since publication of that report.\n\n    6. Update the IPSS self-assessment to reflect controls in place. In-place controls are those\n       that were documented as passed in the last Security Test and Evaluation Report, or in any\n       test and evaluation on controls added since publication of that report.\n\n    7. Update the IPSS Contingency Plan to include:\n\n       \xe2\x80\xa2   A description of the system covered in the contingency plan. The description should\n           include the system architecture, location(s), and any other important technical\n           considerations. A system architecture diagram, including security devices (e.g.,\n           firewalls, internal and external connections), is useful.\n\n\n\n\n                                                 15\n\x0c                                                                        System Evaluation of IPSS\n\n\n\n\n   \xe2\x80\xa2   Complete and up-to-date contact information for all personnel, including backup\n       personnel responsible for implementing the IPSS Contingency Plan.\n   \xe2\x80\xa2   A description of the overall structure of contingency teams, including the hierarchy\n       and coordination mechanisms and requirements among the teams. The description\n       should include an overview of team member roles and responsibilities in a\n       contingency situation. Teams and team members should be designated for specific\n       response and recovery roles during contingency plan activation.\n   \xe2\x80\xa2   More detailed steps for recovery actions and assign procedures to the appropriate\n       recovery team(s).\n   \xe2\x80\xa2   Procedures for restoring system operations, with a focus on how to clean the alternate\n       site of any equipment or other materials belonging to the organization.\n\n8. Update the IPSS System Security Plan and/or IPSS self-assessment to consistently define\n   the protection requirements (confidentiality, integrity, availability).\n\n\n\n\n                                           16\n\x0c                                                                           System Evaluation of IPSS\n\n\n\n5      OIG Response to Agency Comments\n\nOn December 13, 2004, the Executive Director for Operations provided comments concerning\nthe draft system evaluation report. None of the comments required modifications to the report.\n\n\n\n\n                                               17\n\x0c                                                                                       Appendix A\n                                                                          System Evaluation of IPSS\n\n\nSCOPE AND METHODOLOGY\n\nTo perform the IPSS system evaluation, Carson Associates reviewed the system\xe2\x80\x99s security\ndocumentation, including the System Security Plan, Risk Assessment Report, self-assessment,\nContingency Plan, Security Test Plan, Certification and Accreditation documentation, and the\ncompletion of weaknesses addressed, if any, within the FY 2003 plan of action and milestones.\nComprehensive document checklists were used in the evaluation process.\n\nThe work was conducted from June 2004 to November 2004 in accordance with guidelines from\nthe National Institute of Standards and Technology, and best practices for evaluating security\ncontrols. Jane Laroussi from Carson Associates conducted the work.\n\n\n\n\n                                              18\n\x0c'